GSA, NSA test app to bridge the gap between agency PKIs

Feb 20, 2000

By Christopher J. Dorobek

GCN Staff

Digital signature certificates issued by one agency could be exchanged with other agencies through a prototype application that the General Services Administration and the National Security Agency tested this month.

Under the auspices of the Federal Public-Key Infrastructure Steering Committee, GSA successfully tested the first version of a bridge certificate authority, said Richard Guida, the committee's chairman.

If applied on a wider scale, the bridge could eventually result in interoperable digital certificates, overcoming what has been a major hurdle for the development of PKI applications within agencies, Guida said.

The bridge could let citizens use digital certificates issued by one agency at other agencies.

Digital signatures let users sign documents electronically; the digital certificates issued by certificate authorities bind the public key that verifies those signatures to a specific individual. But so far, certificates issued by one agency can't be validated by other agencies, because each agency's applications trust only that agency's own certificate authority. Without the bridge, each agency would create stovepipe PKI apps and citizens would need multiple certificates for electronic transactions with the government.

The goal of the bridge project is to avoid the certificate redundancies.

'Everyone is going to have a certificate for their own internal business,' said Judith A. Spencer, director of the Center for Governmentwide Security in GSA's Federal Technology Service. 'This will allow us to take those certificates and use them for interagency commerce.'

GSA has created a bridge certificate authority that cross-certifies with agency certificate authorities, so that agencies can accept one another's digital certificates and conduct secure communications over the Internet.

Bridge builders

The FTS center and Mitretek Systems of McLean, Va., developed the bridge prototype.

For the test, FTS used a digital certificate issued by GTE Cybertrust of Needham Heights, Mass., and NSA used a certificate issued by Entrust Technologies Inc. of Plano, Texas.

The FTS certificate resides in a Microsoft Windows NT environment; NSA does its certificate work on workstations running SunSoft Solaris.

During the test, the two agencies exchanged their digital certificates through the bridge.

At that point, a user at GSA and a user at NSA were able to send electronically signed messages securely over the Internet using their individual digital certificates, each side verifying a signature backed by a certificate from the other agency's certificate authority.

The steering committee plans to expand the bridge to include other agencies' certificate authorities, including those of the Defense Department and the National Institute of Standards and Technology. GSA also plans to let the Canadian government use the bridge.

One daunting task is establishing a policy for the use of the certificates, Guida said. The steering committee must make sure that participants are comfortable with the level of security.

Upper and lower

Invariably, certificates will have different levels of assurance. Some certificates can be obtained online without any proof of the person's identity. Others, especially those issued by organizations that demand higher levels of security, require that an individual's identity be verified before a certificate is granted. A relying agency has to know which kind of certificate it is being shown.

The Federal PKI Steering Committee has drafted a certificate policy. The draft, which is more than 60 pages, sets out how certificates will relate to one another.

Under the policy, there would be four levels of assurance: high, medium, basic and rudimentary. The plan is to incorporate the four levels into later versions of the bridge, Guida said.
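The two mechanisms the article describes, a GSA relying party accepting an NSA certificate by chaining through the bridge, and refusing one that does not meet the assurance level it requires, as an added example that is not part of the original article or of the GSA/Mitretek prototype. It is written in Python against the `cryptography` package and builds a small constructed topology: self-signed GSA and NSA roots, a bridge CA cross-certified in both directions with each of them, a "stovepipe" CA that nobody cross-certified, and three end-entity certificates. The CA names, the subject names, and the policy OID arc 1.3.6.1.4.1.99999.3.x standing in for the rudimentary, basic, medium and high levels are all assumptions made for illustration. Policy mapping, name constraints and revocation checking, which a real bridge deployment needs, are deliberately left out.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Hypothetical policy OID arc standing in for rudimentary/basic/medium/high assurance.
RUDIMENTARY, BASIC, MEDIUM, HIGH = (
    x509.ObjectIdentifier(f"1.3.6.1.4.1.99999.3.{i}") for i in range(1, 5))
DER, SPKI = serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo


def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def cn_of(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def issue(subject, subject_key, issuer, issuer_key, *, ca, policies):
    """Sign a certificate binding subject_key to `subject` and asserting `policies`."""
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer)
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1))
            .not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .add_extension(x509.CertificatePolicies(
                [x509.PolicyInformation(p, None) for p in policies]), critical=False)
            .sign(issuer_key, hashes.SHA256()))


def signed_by(cert, issuer_cert):
    """True if issuer_cert's key verifies cert's signature over its TBS bytes."""
    try:
        issuer_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                        ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def build_path(target, pool, anchor, seen=()):
    """Depth-first search from target back to the trust anchor; returns [anchor, ..., target]
    or None. `pool` is every CA and cross-certificate the relying party has collected (in
    practice from the bridge's directory); `seen` breaks the loops cross-certification creates."""
    if target.issuer == anchor.subject and signed_by(target, anchor):
        return [anchor, target]
    for cand in pool:
        key = (cand.subject, cand.public_key().public_bytes(DER, SPKI))
        if key in seen or cand.subject != target.issuer or not signed_by(target, cand):
            continue
        if not cand.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            continue  # an end-entity certificate may not act as an issuer
        path = build_path(cand, pool, anchor, seen + (key,))
        if path:
            return path + [target]
    return None


def validate(target, pool, anchor, required):
    """Simplified RFC 5280 validation: path discovery plus policy-set intersection
    (no policy mapping, anyPolicy, name constraints or revocation checking)."""
    path = build_path(target, pool, anchor)
    if path is None:
        return {"ok": False, "reason": "no certification path to trust anchor", "path": []}
    names, valid = [cn_of(c) for c in path], {required}
    for cert in path[1:]:  # the anchor itself is trusted configuration, not validated
        ext = cert.extensions.get_extension_for_class(x509.CertificatePolicies).value
        valid &= {p.policy_identifier for p in ext}
        if required not in valid:
            return {"ok": False, "reason": f"policy not asserted by {cn_of(cert)}", "path": names}
    return {"ok": True, "reason": "valid", "path": names}


def demo():
    """Three constructed certificates judged by a GSA relying party that trusts only GSA Root CA."""
    k = {n: ec.generate_private_key(ec.SECP256R1())
         for n in ("gsa", "nsa", "bridge", "stovepipe", "analyst", "clerk", "lone")}
    cn = {"gsa": "GSA Root CA", "nsa": "NSA Root CA",
          "bridge": "Federal Bridge CA", "stovepipe": "Stovepipe Agency CA"}

    def ca(subj, iss, pol):  # self-signed root when subj == iss, otherwise a cross-cert
        return issue(name(cn[subj]), k[subj], name(cn[iss]), k[iss], ca=True, policies=pol)

    def user(label, subj, iss, pol):
        return issue(name(label), k[subj], name(cn[iss]), k[iss], ca=False, policies=pol)

    every = [RUDIMENTARY, BASIC, MEDIUM, HIGH]
    gsa_root = ca("gsa", "gsa", every)
    pool = [ca("nsa", "nsa", every), ca("bridge", "bridge", every),
            ca("stovepipe", "stovepipe", every),         # nobody has cross-certified this CA
            ca("bridge", "gsa", [BASIC, MEDIUM, HIGH]),  # GSA cross-certifies the bridge
            ca("gsa", "bridge", [BASIC, MEDIUM, HIGH]),  # bridge cross-certifies GSA
            ca("nsa", "bridge", [MEDIUM, HIGH]),         # bridge admits NSA at medium/high only
            ca("bridge", "nsa", [MEDIUM, HIGH])]         # NSA cross-certifies the bridge
    subjects = {"analyst": user("NSA Analyst", "analyst", "nsa", [MEDIUM]),
                "clerk": user("NSA Clerk", "clerk", "nsa", [RUDIMENTARY]),
                "lone": user("Lone User", "lone", "stovepipe", [HIGH])}
    return {who: validate(c, pool, gsa_root, MEDIUM) for who, c in subjects.items()}
```

Calling `demo()` returns one result per subject. The NSA analyst validates along GSA Root CA -> Federal Bridge CA -> NSA Root CA -> NSA Analyst, even though the relying party never configured NSA's root as a trust anchor. The rudimentary-assurance clerk builds the same path but fails the policy intersection at the last step, which is the "agency can always decline a certificate" outcome expressed as a policy rather than a manual decision. The user from the CA that nobody cross-certified gets no path at all, which is the stovepipe situation the bridge is meant to remove.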

Meanwhile, the steering committee is working to establish a committee of volunteers from organizations that want to use the bridge, Guida said. The committee, he said, would be similar to a condominium association.

But no matter what policies are set, an agency will always have the option not to accept a certificate, Guida said.